-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
admin: Add an unlock
command
#212
Conversation
FWIW I tested this on a current CentOS7 AH by copying You will also need to:
|
There is another option - we could provide a gated tool like:
which would ensure correct overwrites. It could even take |
Okay, see the above two commits. Right now overlayfs seems like a win, but I want to do more testing before I'm confident in it. |
|
||
<listitem><para> | ||
OSTree follows a default policy of retaining at most two deployments | ||
per OS. This option suppresses the default collection of any previous |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the default collection --> removal?
Ahh, or is it missing the word garbage?
I'm trying to improve the developer experience on OSTree-managed systems, and I had an epiphany the other day - there's no reason we have to be absolutely against mutating the current rootfs live. The key should be making it easy to rollback/reset to a known good state. I see this command as useful for two related but distinct workflows: - `ostree admin unlock` will assume you're doing "development". The semantics hare are that we mount an overlayfs on `/usr`, but the overlay data is in `/var/tmp`, and is thus discarded on reboot. - `ostree admin unlock --hotfix` first clones your current deployment, then creates an overlayfs over `/usr` persistent to this deployment. Persistent in that now the initramfs switchroot tool knows how to mount it as well. In this model, if you want to discard the hotfix, at the moment you roll back/reboot into the clone. Note originally, I tried using `rofiles-fuse` over `/usr` for this, but then everything immediately explodes because the default (at least CentOS 7) SELinux policy denies tons of things (including `sshd_t` access to `fusefs_t`). Sigh. So the switch to `overlayfs` came after experimentation. It still seems to have some issues...specifically `unix_chkpwd` is broken, possibly because it's setuid? Basically I can't ssh in anymore. But I *can* `rpm -Uvh strace.rpm` which is handy. NOTE: I haven't tested the hotfix path fully yet, specifically the initramfs bits.
Okay, squashed, and major changes in ⬆️ |
One thing I'm uncertain about...should |
* think we could do this a lot earlier and make all of the mounts | ||
* here just be relative. | ||
*/ | ||
orig_cwd_dfd = openat (AT_FDCWD, ".", O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
missing declaration for orig_cwd_dfd
I tried to make a new Rawhide tree with the updated OSTree (after adding the declaration for Failed to switch root: Specified root path /sysroot does not seem to be an OS tree. os-release file is missing. |
Blah, was accidentally building without dracut. Will fix. |
@giuseppe I suspect that error was actually coreos/rpm-ostree#243 |
if (fchdir (child_deployment_dfd) < 0) | ||
exit (EXIT_FAILURE); | ||
(void) close (child_deployment_dfd); | ||
if (mount ("overlay", "/usr", "overlay", 0, ovl_options) < 0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GCC complains about ovl_options
here (-Wmaybe-uninitialized). Easy fix:
diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
index d4842fe..846e522 100644
--- a/src/libostree/ostree-sysroot.c
+++ b/src/libostree/ostree-sysroot.c
@@ -1718,9 +1718,6 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
switch (unlocked_state)
{
- case OSTREE_DEPLOYMENT_UNLOCKED_NONE:
- g_assert_not_reached ();
- break;
case OSTREE_DEPLOYMENT_UNLOCKED_HOTFIX:
{
/* Create the overlayfs directories in the deployment root
@@ -1755,6 +1752,9 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
ovl_options = glnx_strjoina ("lowerdir=usr,upperdir=", development_ovl_upper,
",workdir=", development_ovl_work);
}
+ default:
+ g_assert_not_reached ();
+ break;
}
/* Here we run `mount()` in a fork()ed child because we need to use
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, but then if we later add a new enum member we lose the warning that we're not handling an enum member in switch.
It's too bad gcc can't prove it's initialized here, because it is. But that gets into:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=18501
Anyways I pushed a fixup which initializes to NULL
then tells gcc it's not-NULL
after the switch.
That, and a pile of fixups for the "hotfix" code path. You can see all of my bugs individually! The other thing is I added some bits to drop |
Hmm, don't feel strongly either way. I guess I'd vote for the cmdline option so that admins are more conscious of what will happen. Will give this PR a spin now! This should make testing my package-layering stuff much less painful. |
Hmm, I can't get |
Hum. I'm testing on RHEL7.2 for what it's worth. Are you using Fedora? |
Yes, F23. Testing it the proper way now (I was directly overwriting ostree files 😇 ). |
Sweet, yes it works. Two things:
Will test this more tomorrow, but I really like it so far. |
Or maybe have the Version string be e.g. |
I'm not sure what you mean - the overlayfs is mounted and writable after reboot, no? Or are you saying it shouldn't be? I could see that...but allowing "relocking" would introduce a new state into the system... |
Ahh OK, I missed that. Yeah, I think it's fine that way. The simpler the better. BTW, I really like the |
Maybe...I think at the moment I really want to get the non-hotfix I suspect for most people the biggest win is a persistent package layering, since you often want something smarter than tarballs for software delivery. |
Agreed! I think both @giuseppe and I gave a 👍 for this during today's meeting. Just putting it here for the record. :) |
Awesome, merged to master. Thanks for the review and testing! |
Though I should drop in here that I still need to debug "Specifically |
travis: Disable email notifications
I'm trying to improve the developer experience on OSTree-managed
systems, and I had an epiphany (:thought_balloon:) the other day - there's no reason we
have to be absolutely against mutating the current rootfs live. The
key should be making it easy to rollback/reset to a known good state.
This new
unlock
command implements that by first "dup"ing thecurrent deployment, so you go back to it when rebooting (or with
--hotfix
, have it as a rollback target).Next, we use
rofiles-fuse
to point the mutable/sysroot/ostree/deploy/.../${thisdeployment}/usr
to/usr
. Wechoose
/usr
since this way we avoid the immutable bit and prettymuch everything is in
/usr
anyways.And then everything immediately explodes because the default (at least
CentOS 7) SELinux policy denies tons of things (including
sshd_t
access to
fusefs_t
). Sigh.I'm not sure...we could try to load a policy module that allowed this?
Alternatively...we could investigate
overlayfs
except that itself iscurrently known to be incompatible with SELinux too. Except we don't
need copy-up...